TRANSMITTAL OF APPEAL BRIEF 
(PATENT APPLICATION - 37 C.F.R. § 41.37) 

1. Transmitted herewith is the APPEAL BRIEF in this application, with respect to the Notice of 
Appeal filed on January 12, 2006. 

2. STATUS OF APPLICANT 

This application is on behalf of other than a small entity. 
made to provide for the possibility that applicant has inadvertently overlooked the need for a 
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 
In re application of: 
Handong Wu et al. 
Application No. 10/091,645 
Filed: 03/05/2002 



For: NETWORK INTRUSION 
DETECTION AND ANALYSIS SYSTEM 
AND METHOD 



Group Art Unit: 2132 
Examiner: Homayounmehr, Farid 
Date: April 12, 2006 



Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

ATTENTION: Board of Patent Appeals and Interferences 

APPEAL BRIEF (37 C.F.R. § 41.37) 

This brief is in furtherance of the Notice of Appeal, filed in this case on 01/12/2006. 

The fees required under § 1.17, and any required petition for extension of time for filing this brief 
and fees therefor, are dealt with in the accompanying TRANSMITTAL OF APPEAL BRIEF. 

This brief contains these items under the following headings, and in the order set forth below (37 
C.F.R. § 41.37(c)(1)): 



I REAL PARTY IN INTEREST 

II RELATED APPEALS AND INTERFERENCES 

III STATUS OF CLAIMS 

IV STATUS OF AMENDMENTS 

V SUMMARY OF CLAIMED SUBJECT MATTER 

VI ISSUES 

VII ARGUMENTS 

VIII APPENDIX OF CLAIMS INVOLVED IN THE APPEAL 

IX APPENDIX LISTING ANY EVIDENCE RELIED ON BY APPELLANT IN THE APPEAL 

X RELATED PROCEEDING APPENDIX 

The final page of this brief bears the practitioner's signature. 
I REAL PARTY IN INTEREST (37 C.F.R. § 41.37(c)(1)(i)) 
The real party in interest in this appeal is McAfee, Inc. 
II RELATED APPEALS AND INTERFERENCES (37 C.F.R. § 41.37(c)(1)(ii)) 

With respect to other prior or pending appeals, interferences, or related judicial proceedings that will 
directly affect, or be directly affected by, or have a bearing on the Board's decision in the pending 
appeal, below is a list of such appeals, interferences, or related judicial proceedings. 

No such pending appeals, interferences, or related judicial proceedings exist. 

A Related Proceedings Appendix is appended hereto. 
III STATUS OF CLAIMS (37 C.F.R. § 41.37(c)(1)(iii)) 

A. TOTAL NUMBER OF CLAIMS IN APPLICATION 
Claims in the application are: 1-8, 10-11, 14-16, and 18-22 

B. STATUS OF ALL THE CLAIMS IN APPLICATION 

1. Claims withdrawn from consideration: None 

2. Claims pending: 1-8, 10-11, 14-16, and 18-22 

3. Claims allowed: None 

4. Claims rejected: 1-8, 10-11, 14-16, and 18-22 

5. Claims cancelled: 9, 12, 13, 17 

C. CLAIMS ON APPEAL 

The claims on appeal are: 1-8, 10-11, 14-16, and 18-22 

See additional status information in the Appendix of Claims. 



PAGE 10/29 1 RCVD AT 4/12/2006 7:25:14 PM [Eastern Daylight Time] * SVR:USPTO-EFXRF«2/7 ' DNIS:2738300 * CSID:4089714660 * DURATION (mm-ss):0W2 



APR. 12. 2006 4:36PM ZILKA-KOTAB, PC NO. 2537 P. 11 

-6- 

IV STATUS OF AMENDMENTS (37 C.F.R. § 41.37(c)(1)(iv)) 

As to the status of any amendment filed subsequent to final rejection, there is no amendment after 
final. 


V SUMMARY OF CLAIMED SUBJECT MATTER (37 C.F.R. § 41.37(c)(1)(v)) 

With respect to a summary of Claims 1 and 19, as shown in Figures 1-5, a system, method, and 
computer program product are included for providing an intrusion detection and analysis system. 
Included is a data monitoring device (e.g. see item 16 of Figure 1, etc.) comprising a capture 
engine (e.g. see item 32 of Figure 3, etc.) operable to capture data passing through the network in 
response to a trigger and configured to monitor network traffic. Also, the data monitoring device 
involves decode protocols for grouping packets into different protocol presentations and 
assembling the packets into high level protocol groups. Finally, the data monitoring device 
analyzes received data for managing the network by collecting statistics, and detecting broken 
lines, traffic loads, and network errors. An intrusion detection device (e.g. see item 14 of Figure 
1, etc.) is separate from the data monitoring device. The intrusion detection device includes a 
detection engine (e.g. see item 34 of Figure 3, etc.) operable to perform intrusion detection on 
data provided by the data monitoring device. Further, the intrusion detection device includes 
application program interfaces configured to allow the intrusion detection device access to 
applications of the data monitoring device to perform intrusion detection. Finally, the intrusion 
detection device includes memory for storing reference network information used by the 
intrusion detection device to determine if an intrusion has occurred. In use, the application 
program interfaces allow the intrusion detection device to leverage the separate data monitoring 
device. For example, the intrusion detection device is allowed to call an application program 
interface configured to open a protocol decoding application associated with the separate data 
monitoring device. Also, the intrusion detection device is allowed to call an application program 
interface configured to open an alarm generation application associated with the separate data 
monitoring device. See, for example, page 7, line 3 - page 12, line 17 et al. 

With respect to a summary of Claim 11, the above summary of Claims 1 and 19 is incorporated 
by reference, at least in part. As shown in Figure 4, the intrusion detection device is coupled to 
the data monitoring device and configured to perform intrusion detection on data provided by the 
data monitoring device. Specifically, an associated method comprises receiving data at the data 
monitoring device. In addition, the method comprises capturing at least a portion of the packets 
contained within the data (e.g. see item 62 of Figure 4, etc.). Still yet, the method comprises 
allowing the intrusion detection device to call at least one application program interface 
configured to open applications of the data monitoring device. Even still, the method comprises 
performing intrusion detection at the intrusion detection device utilizing at least one of the 
applications of the data monitoring device (e.g. see item 66 of Figure 4, etc.). See, for example, 
page 7, line 3 - page 13, line 17 et al. 
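The following is an added illustration of the arrangement summarized above, written for this page; it is not code from the application, from McAfee, or from Vaidya. It models a data monitoring device (capture in response to a trigger, protocol decoding into groups, traffic statistics, an alarm application) and a separate intrusion detection device that reaches the monitoring device's applications only through two APIs; the wire format, API names, signature profiles and baseline counts are all constructed for the example.

```python
from collections import defaultdict, namedtuple
import struct

# Constructed wire format for this example only: 1-byte protocol number,
# 2-byte big-endian port, then payload. It is not a real capture format.
PROTO_NAMES = {6: "TCP", 17: "UDP", 1: "ICMP"}

Packet = namedtuple("Packet", "proto port payload")


class DataMonitoringDevice:
    """Capture engine, protocol decoding and traffic statistics; its
    applications are reachable only through the two open_* APIs below."""

    def __init__(self):
        self.triggered = False
        self.captured = []              # frames captured after the trigger fired
        self.stats = defaultdict(int)   # per-protocol packet counts (statistics)
        self.errors = 0                 # malformed frames seen on the line
        self.alarms = []                # output of the alarm generation application

    def trigger(self) -> None:
        self.triggered = True           # capture starts only in response to a trigger

    def capture(self, raw: bytes) -> None:
        """Capture engine: decode one frame and update network statistics."""
        if not self.triggered:
            return
        if len(raw) < 3 or raw[0] not in PROTO_NAMES:
            self.errors += 1            # counted as a network error
            return
        port = struct.unpack("!H", raw[1:3])[0]
        pkt = Packet(PROTO_NAMES[raw[0]], port, raw[3:])
        self.captured.append(pkt)
        self.stats[pkt.proto] += 1

    def open_protocol_decoder(self):
        """API: application that groups captured packets into protocol groups."""
        def decode() -> dict:
            groups = defaultdict(list)
            for p in self.captured:
                groups[p.proto].append(p)
            return dict(groups)
        return decode

    def open_alarm_generator(self):
        """API: application that records an alarm on the monitoring device."""
        def raise_alarm(message: str) -> None:
            self.alarms.append(message)
        return raise_alarm


class IntrusionDetectionDevice:
    """Separate detection engine holding reference information (signature
    profiles and a baseline); works only on data the monitor provides."""

    def __init__(self, monitor, signatures, baseline):
        self.monitor = monitor
        self.signatures = signatures    # constructed: (name, proto, offset, pattern)
        self.baseline = baseline        # constructed: per-protocol packet counts

    def detect(self, burst_factor: int = 4) -> list:
        decode = self.monitor.open_protocol_decoder()   # API call: decoding app
        alarm = self.monitor.open_alarm_generator()     # API call: alarm app
        groups = decode()
        hits = []
        # signature matching against the decoded protocol groups
        for name, proto, offset, pattern in self.signatures:
            for pkt in groups.get(proto, []):
                if pkt.payload[offset:offset + len(pattern)] == pattern:
                    hits.append(("signature", name, proto, pkt.port))
        # anomaly detection: a protocol group far above its baseline count
        for proto, pkts in groups.items():
            expected = self.baseline.get(proto, 0)
            if expected and len(pkts) > burst_factor * expected:
                hits.append(("anomaly", "burst", proto, len(pkts)))
        for hit in hits:
            alarm("%s:%s on %s (%d)" % hit)
        return hits


def run_example() -> tuple:
    """Constructed traffic: benign HTTP, a test-pattern frame, a UDP burst, one bad frame."""
    mon = DataMonitoringDevice()
    mon.trigger()
    mon.capture(b"\x06\x00\x50GET / HTTP/1.0")      # TCP/80, benign
    mon.capture(b"\x06\x00\x50XPROBE-TEST")          # TCP/80, matches the test signature
    for _ in range(12):
        mon.capture(b"\x11\x00\x35ping")              # UDP/53 burst above baseline
    mon.capture(b"\xff")                              # too short: a network error
    ids = IntrusionDetectionDevice(mon, [("xprobe-test", "TCP", 0, b"XPROBE")],
                                   baseline={"TCP": 5, "UDP": 2})  # constructed
    return ids.detect(), mon.alarms, mon.errors
```

Running `run_example()` yields one signature hit, one burst anomaly, two alarms recorded on the monitoring device, and one counted malformed frame.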
VI ISSUES (37 C.F.R. § 41.37(c)(1)(vi)) 

Following, under each issue listed, is a concise statement setting forth the corresponding ground of 
rejection. 

Issue #1: The Examiner has rejected Claims 21 and 22 under 35 U.S.C. 112, first paragraph, as not 
being enabled. 

Issue #2: The Examiner has rejected Claims 21 and 22 under 35 U.S.C. 112, second paragraph, as 
failing to define the invention. 

Issue #3: The Examiner has rejected Claims 1-19 under 35 U.S.C. 102(e) as being anticipated by or, 
in the alternative, unpatentable under 35 U.S.C. 103(a) as being obvious over Vaidya (U.S. Patent 
No. 6,279,113) in view of Porras (U.S. Patent Application No. 2003/0101358). 
VII ARGUMENTS (37 C.F.R. § 41.37(c)(1)(vii)) 

The claims of the groups noted below do not stand or fall together. In the present section, appellant 
explains why the claims of each group are believed to be separately patentable. 

Issue #1: 

The Examiner has rejected Claims 21 and 22 under 35 U.S.C. 112, first paragraph, as not being 
enabled. With respect to Claim 21, the Examiner has questioned the exact implication of the 
"frame_context_pointer_position" limitations. With respect to Claim 22, the Examiner has stated 
that Page 12 of the specification only mentions the inclusion of "frame_tcp_bridge," 
"frame_udp_bridge," "frame_ip_bridge," and "frame_http_bridge," but does not give a description 
of the specific functionality of such elements. 

Appellant respectfully asserts that Page 12 of appellant's disclosure describes the form the APIs 
may take, or, in other words, defines the form that the API takes. Thus, according to the claims, the 
API is defined according to "frame_context_pointer_position" (Claim 21) which includes 
"frame_tcp_bridge; frame_udp_bridge; frame_ip_bridge; and frame_http_bridge" (Claim 22). 

Issue #2: 

The Examiner has rejected Claims 21 and 22 under 35 U.S.C. 112, second paragraph, as failing to 
define the invention. Appellant respectfully disagrees. In particular, the Examiner has simply made 
a blanket assertion regarding this issue without providing any specifics. To this end, appellant 
respectfully finds the Examiner's rejection baseless. 

Issue #3: 

The Examiner has rejected Claims 1-20 under 35 U.S.C. 102(e) as being anticipated by or, in the 
alternative, unpatentable under 35 U.S.C. 103(a) as being obvious over Vaidya (U.S. Patent No. 
6,279,113) in view of Porras (U.S. Patent Application No. 2003/0101358). 

Group #1: Claims 1-8, 10, 14-15, and 18-20 

With respect to each of the independent claims, and specifically appellant's claimed "intrusion 
detection device separate from the data monitoring device," the Examiner has argued, in the 
latest Office Action dated 11/30/2005, that appellant's claimed "intrusion detection device 
separate from the data monitoring device" is only separate in functionality. Appellant 
respectfully points out page 7, line 14 - page 8, line 6, along with associated Figure 1, which 
clearly shows that the network analysis and data monitoring device 16 and the intrusion detection 
device 14 are separate devices, and not merely that they perform separate functionality, as the 
Examiner contends. 

The Examiner has also argued that Vaidya does not limit his invention to one processor only. In 
making such an assertion, the Examiner has referenced Figure 4, items 36, 34 and 38 as being 
separate modules to perform separate functionalities. Appellant respectfully asserts that Figure 4 
only discloses modules that work with the virtual processor, but not that such modules are 
separate processors. Thus, appellant respectfully asserts that the only processing device in 
Vaidya is the virtual processor. Furthermore, the modules relied on by the Examiner do not 
provide the separate functionality claimed by appellant, namely "captur[ing] data passing 
through the network," "perform[ing] intrusion detection," etc. 

Still yet, the Examiner has argued that Vaidya performs the functionality of appellant's data 
monitoring device and intrusion detection device in item 36, but that such functionality is 
separate as shown in item 40. Appellant respectfully asserts that item 40, the register cache, 
"temporarily stores information extracted from a data packet which determines which signature 
profile(s) will be accessed from the signature profile memory 39." Clearly, such register cache 
that only extracts information from data packets does not meet appellant's claimed "data 
monitoring device," which specifically "capture[s] data passing through the network," 
"monitor[s] network traffic," "decode[s] protocols for grouping packets into different protocol 
presentations and assembling the packets into high level protocol groups," and "analyze[s] 
received data," in the manner claimed by appellant. Thus, the functionality of items 36 and 40, 
as relied on by the Examiner, does not meet appellant's specific claim language. 

Furthermore, the Examiner has argued that Vaidya's claim 1, which claims a method of detecting 
intrusion attempts, is broken down into several steps, including monitoring network traffic and 
network intrusion. Appellant emphasizes that merely claiming separate steps does not meet 
appellant's separate devices, as claimed. In addition, simply claiming monitoring network 
traffic, as in Vaidya, does not meet appellant's specifically claimed functionality of a data 
monitoring device that exceeds beyond monitoring network traffic, as excerpted above. 

Appellant again respectfully asserts that the appellant's arguments made in the Office Action 
dated 10/12/2005 on page 7, paragraph 4 - page 9, paragraph 1 clearly show the distinction 
between Vaidya and appellant's specific claim language. 

With respect to appellant's claimed technique "wherein the application program interfaces allow 
the intrusion detection device to leverage the separate data monitoring device, by allowing the 
intrusion detection device to call an application program interface configured to open a protocol 
decoding application associated with the separate data monitoring device, and by allowing the 
intrusion detection device to call an application program interface configured to open an alarm 
generation application associated with the separate data monitoring device," the Examiner has 
argued that such claim language in addition to the specification does not point out any advantage 
in separation of the intrusion detection device and the data monitoring device. In response, 
appellant points out page 8, lines 3-6 which states that the components, including the intrusion 
detection device and the network analysis and data monitoring device, can perform dual 
simultaneous functions, etc., which allows for efficient detection of intrusions in high-speed 
network traffic. 

The Examiner has also argued that such aforementioned claim language would have been 
obvious and well known to a person skilled in the art, and noted Porras in such regard. 
Specifically, the Examiner has argued that the motivation to use APIs in order to build the 
intrusion detection system would have been to take advantage of an already prepared and well 
tested element to perform part of the required functionality. Appellant respectfully asserts that 
the alleged obviousness of utilizing APIs does not make appellant's specific claim language 
obvious, since appellant does not merely claim using APIs, but instead specifically claims 
"allowing the intrusion detection device to call an application program interface configured to 
open a protocol decoding application associated with the separate data monitoring device, 
and...allowing the intrusion detection device to call an application program interface configured 
to open an alarm generation application associated with the separate data monitoring device." 
Thus, each device, as claimed by appellant, is allowed to call APIs with specific separate 
functionality such that the intrusion detection device is allowed to leverage the separate data 
monitoring device. These claimed features are simply non-existent in both Vaidya and Porras. 

With respect to the 102 rejection, the Examiner is reminded that a claim is anticipated only if 
each and every element as set forth in the claim is found, either expressly or inherently described, 
in a single prior art reference. Verdegaal Bros. v. Union Oil Co. of California, 814 F.2d 628, 
631, 2 USPQ2d 1051, 1053 (Fed. Cir. 1987). Moreover, the identical invention must be shown 
in as complete detail as contained in the claim. Richardson v. Suzuki Motor Co., 868 F.2d 1226, 
1236, 9 USPQ2d 1913, 1920 (Fed. Cir. 1989). The elements must be arranged as required by the 
claim. 

With respect to the 103 rejection, to establish a prima facie case of obviousness, three basic 
criteria must be met. First, there must be some suggestion or motivation, either in the references 
themselves or in the knowledge generally available to one of ordinary skill in the art, to modify 
the reference or to combine reference teachings. Second, there must be a reasonable expectation 
of success. Finally, the prior art reference (or references when combined) must teach or suggest 
all the claim limitations. The teaching or suggestion to make the claimed combination and the 
reasonable expectation of success must both be found in the prior art and not based on 
appellant's disclosure. In re Vaeck, 947 F.2d 488, 20 USPQ2d 1438 (Fed. Cir. 1991). Appellant 
respectfully asserts that at least the third element of the prima facie case of obviousness has not 
been met, since the prior art references fail to teach or suggest all of the claim limitations, as 
noted above. 

Thus, all of the independent claims are deemed allowable. Moreover, the remaining dependent 
claims are further deemed allowable, in view of their dependence on such independent claims. 

Group #2: Claim 11 

With respect to independent Claim 11, appellant incorporates the arguments made hereinabove 
regarding Group #1. Further, it is noted that Claim 11 includes additional language requiring a 
technique of "...allowing the intrusion detection device to call at least one application program 
interface configured to open applications of the data monitoring device; and performing intrusion 
detection at the intrusion detection device utilizing at least one of the applications of the data 
monitoring device" (emphasis added). The Examiner relied upon items 26, 32, 34, 36, and 39 of 
Fig. 2, and Col. 6, lines 1-11 (see below) from Vaidya to make a prior art showing of such claim 
language. 

[Vaidya, Fig. 2, not reproduced here. Block labels legible in the scan: configuration generator 28, 
database handler, comm module, signature profile memory 39, configuration builder module 32, 
comm module, data collector 10, SDSI virtual processor, and reaction module 38.] 

"Each data collector 10 includes a communication module 34 for 
transmitting and receiving information to and from the data repository 
12. A configuration builder module 32 assigns a set of signature 
profiles to each network object and stores data representative of 
associations between network objects and attack signature profile sets 
in a signature profile memory 39. The configuration builder module 32 
accesses the appropriate attack signature profile sets during operation 
of the data collector 10 and provides the attack signature profiles to 
a stateful dynamic signature inspection (SDSI) virtual processor 36. 
The attack signature profiles include a set of instructions which the 
virtual processor 36 executes to determine whether a particular data 
packet is associated with a network intrusion. Although a preferred 
embodiment of the processor employs the software based virtual 
processor 36 to execute attack signature profiles, a hardware based 
processor can be employed in the place of the virtual processor 36." 
(Vaidya, Col. 6, lines 1-11 - emphasis added) 

The Examiner has further argued that "the configuration builder module (item 32) allows the 
intrusion detection device (item 36) access attack signature profiles stored in signature profile 
memory (item 39)." However, the excerpts merely suggest a technique where "[t]he 
configuration builder module 32 accesses the appropriate attack signature profile sets during 
operation of the data collector 10 and provides the attack signature profiles to a stateful dynamic 
signature inspection (SDSI) virtual processor 36" (emphasis added). Further, the Examiner has 
argued that "the communication module (item 34) allows intrusion detection device access the 
data in database handler (item 26)." Again, appellant respectfully asserts that the excerpt simply 
teaches a technique where "[e]ach data collector 10 includes a communication module 34 for 
transmitting and receiving information to and from the data repository 12" (emphasis added). 

To this end, there is clearly not even a suggestion in the above excerpts of a technique of 
"allowing the intrusion detection device to call at least one application program interface 
configured to open applications of the data monitoring device; and performing intrusion 
detection at the intrusion detection device utilizing at least one of the applications of the data 
monitoring device" (emphasis added), as claimed by appellant. 



Group #3: Claim 16 



With respect to dependent Claim 16, the Examiner has relied on the following excerpts from the 
Vaidya reference to make a prior art showing of appellant's claimed technique "wherein the 
application program interfaces provide parsing of signatures used in signature matching" (see 
Claim 16). 

"The sequential signature attribute refers to multiple expressions 
which are sequentially executed on successively transmitted data 
packets associated with an application session. If each of the 
expressions detects the event it was designed to detect, a network 
intrusion has been detected. 

A more formal description of an attack signature in a loose BNF parsing 
grammar follows: 

Pattern := Hex or ASCII string of characters 

Offset := integer 

Protocol := one of the communication protocols, i.e. MAC-layer, 
Network-layer, Transport-layer, or Application-layer 

Extract_Type := Byte, Word, Long Word or String 

Header_Field := Predefined keywords for communication 
protocol header fields 

Variable_Name := ASCII character string Name 

SP := <Pattern, Offset, Protocol> ... Search Primitive 

VP := <Extract_Type, Offset, Protocol> ... Value Primitive 

OP := <Logical> .|. <Arithmetic> .|. <Bit-wise> .|. <Association> ... Operators 

Basic_Expression := <SP> .|. <VP> .|. <Header_Field> .|. <SP OP SP> .|. 
<SP OP VP> .|. <SP OP Header_Fields> 

Assignment := <Variable_Name> "=" <Basic_Expression> 

Complex_Expression := { (<Basic_Expression> OP <Basic_Expression>) ... } 

Expression := <Complex_Expression> .|. <Complex_Expression> ; 
{ (<Assignment> ";") ... } 

Signature_Attributes := <Simple> .|. <Counter-Timer-Based> .|. 
<Sequential-occurrence> 

Attack_Signature := <Signature_Attribute> { <Expression> ... }" 

(Vaidya, Col. 10, lines 17-45 - emphasis added) 

Appellant respectfully asserts that the excerpt above simply does not meet all of appellant's claim 
limitations. Specifically, the Vaidya excerpt teaches "...attack signature in a loose BNF parsing 
grammar..." and that the "...sequential signature attribute refers to multiple expressions which are 
sequentially executed on successively transmitted data packets..." The BNF parsing grammar and 
multiple expressions, as described by Vaidya, clearly do not, however, meet appellant's specific 
claim language, since Vaidya fails to even suggest a technique "wherein the application program 
interfaces provide parsing of signatures, used in signature matching" (emphasis added), as claimed by 
appellant. 


VIII APPENDIX OF CLAIMS (37 C.F.R. § 41.37(c)(1)(viii)) 

The text of the claims involved in the appeal (along with associated status information) is set forth 
below: 

1. (Previously Presented) An intrusion detection and analysis system comprising: 

a data monitoring device comprising a capture engine operable to capture data passing 
through the network in response to a trigger and configured to monitor network traffic, decode 
protocols for grouping packets into different protocol presentations and assembling the packets 
into high level protocol groups, and analyze received data for managing the network by 
collecting statistics, and detecting broken lines, traffic loads, and network errors; 

an intrusion detection device separate from the data monitoring device, the intrusion 
detection device comprising a detection engine operable to perform intrusion detection on data 
provided by the data monitoring device; 

application program interfaces configured to allow the intrusion detection device access 
to applications of the data monitoring device to perform intrusion detection; and 

memory for storing reference network information used by the intrusion detection device 
to determine if an intrusion has occurred; 

wherein the application program interfaces allow the intrusion detection device to 
leverage the separate data monitoring device, by allowing the intrusion detection device to call 
an application program interface configured to open a protocol decoding application associated 
with the separate data monitoring device, and by allowing the intrusion detection device to call 
an application program interface configured to open an alarm generation application associated 
with the separate data monitoring device. 

2. (Original) The system of claim 1 wherein the reference network information comprises a 
signature database including signature profiles associated with a known network security 
violation and wherein the detection engine is operable to compare the data provided by the data 
monitoring device with the signature profiles to detect network intrusions. 

3. (Original) The system of claim 2 further comprising a parser operable to parse, generate, and 
load signatures at the detection engine. 
4. (Original) The system of claim 1 wherein the reference network information comprises a 
baseline state of network traffic and wherein the detect engine is operable to compare the data 
received by the capture engine to the baseline network state and look for anomalies. 

5. (Original) The system of claim 4 wherein the data monitoring device provides the baseline 
state of network traffic. 

6. (Original) The system of claim 1 further comprising a log file configured to at least 
temporarily store reports generated by the detect engine. 

7. (Original) The system of claim 6 further comprising an alarm manager operable to generate 
alarms based on information generated by the log file. 

8. (Original) The system of claim 1 further comprising a filter configured to filter out packets 
received at the data monitoring device. 

9. (Cancelled) 

10. (Original) The system of claim 1 wherein the capture engine is configured to forward 
packets and temporarily store packets for later analysis by the data monitoring device. 

11. (Previously Presented) A method for performing intrusion detection with an intrusion 
detection and analysis system comprising a data monitoring device including a capture engine 
operable to capture data passing through the network in response to a trigger and configured to 
monitor network traffic, decode protocols for grouping packets into different protocol 
presentations and assembling the packets into high level protocol groups, and analyse received 
data for managing the network by collecting statistics, and detecting broken lines, traffic loads, 
and network errors, and an intrusion detection device separate from the data monitoring device, 
the intrusion detection device coupled to the data monitoring device and configured to perform 
intrusion detection on data provided by the data monitoring device; the method comprising: 

receiving data at the data monitoring device; 
capturing at least a portion of the packets contained within the data; 

by allowing the intrusion detection device to call at least one application program 
interface configured to open applications of the data monitoring device; and 

performing intrusion detection at the intrusion detection device utilizing at least one of 
the applications of the data monitoring device; 

wherein the at least one application program interface allows the intrusion detection 
device to leverage the separate data monitoring device, by allowing the intrusion detection 
device to call an application program interface configured to open a protocol decoding 
application associated with the separate data monitoring device, and by allowing the intrusion 
detection device to call an application program interface configured to open an alarm generation 
application associated with the separate data monitoring device. 

12. (Cancelled) 

13. (Cancelled) 

14. (Original) The method of claim 11 further comprising filtering the data prior to capturing 
packets. 

15. (Original) The method of claim 11 wherein perfonning intrusion detection comprises 
performing signature matching. 

16. (Original) The method of claim 15 wherein the application program interfaces provide 
parsing of signatures used in signature matching. 

17. (Cancelled) 

18. (Original) The method of claim 11 wherein performing intrusion detection comprises 
detecting anomalies in the received data. 

19. (Previously Presented) A computer program product for performing intrusion detection with 
an intrusion detection and analysis system comprising a data monitoring device including a 
capture engine operable to capture data passing through the network in response to a trigger and 
configured to monitor network traffic, decode protocols for grouping packets into different 
protocol presentations and assembling the packets into high level protocol groups, and analyze 
received data for managing the network by collecting statistics, and detecting broken lines, 
traffic loads, and network errors, and an intrusion detection device separate from the data 
monitoring device, the intrusion detection device coupled to the data monitoring device and 
configured to perform intrusion detection on data provided by the data monitoring device; the 
product comprising: 

code that receives data at the data monitoring device; 

code that captures at least a portion of the packets contained within the data; 

code that calls at least one application program interface configured to open applications 
of the data monitoring device; 

code that performs intrusion detection at the intrusion detection device utilizing at least 
one of the applications of the data monitoring device; and 

a computer-readable storage medium for storing the codes; 

wherein the at least one application program interface allows the intrusion detection 
device to leverage the separate data monitoring device, by allowing the intrusion detection 
device to call an application program interface configured to open a protocol decoding 
application associated with the separate data monitoring device, and by allowing the intrusion 
detection device to call an application program interface configured to open an alarm generation 
application associated with the separate data monitoring device. 



20. (Previously Presented) The computer program product of claim 19 wherein the computer 
readable storage medium is selected from the group consisting of CD-ROM, floppy disk, tape, 
flash memory, system memory, and hard drive. 

21. (Previously Presented) The system of claim 1 wherein at least one of the application 
program interfaces take the form of frame_context_pointer_position. 

22. (Previously Presented) The system of claim 1 wherein at least one of the application 
program interfaces include: 

frame_tcp_bridge, 
frame_udp_bridge, 
frame_ip_bridge, and 
frame_http_bridge. 
IX APPENDIX LISTING ANY EVIDENCE RELIED ON BY APPELLANT IN THE 
APPEAL (37 C.F.R. § 41.37(c)(1)(ix)) 



There is no such evidence. 
X RELATED PROCEEDING APPENDIX (37 C.F.R. § 41.37(c)(1)(x)) 

N/A 
In the event a telephone conversation would expedite the prosecution of this application, the 
Examiner may reach the undersigned at (408) 971-2573. For payment of any additional fees due in 
connection with the filing of this paper, the Commissioner is authorized to charge such fees to 
Deposit Account No. 50-1351 (Order No. NAI1P317). 



Respectfully 



By: 




Kevin J. Zilka 
Reg. No. 41, 

Zilka-Kotab, PC 
P.O. Box 721120 
San Jose, California 95172-1120 
Telephone: (408) 971-2573 
Facsimile: (408)971-4660 



Date 